The massive data breach at Equifax appears to highlight a security vulnerability for many large companies — they do not maintain a proper inventory of their applications.
Equifax confirmed on Wednesday that the hackers exploited a flaw in Apache Struts, a popular open source framework for creating Java apps. The breach, which may have exposed the personal data of as many as 143 million U.S. consumers, occurred in mid-May.
However, a patch for the vulnerability known as Apache Struts CVE-2017-5638 was made available on March 7, the same day it was announced — raising questions about Equifax’s security practices.
“The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” The Apache Foundation, which oversees the Apache Struts software, said Thursday in a blog post.
Equifax has yet to account for its apparent failure to install the patch. But as USA Today reports, the process of patching a flaw in application software “isn’t as simple as just downloading a new version of Java.”
“It requires searching the company’s entire portfolio of applications to look for known and newly-reported vulnerabilities, then updating to the latest version of those applications,” USA Today said. “It is then often necessary to rewrite the applications so they match the other software the company is using. Then everything must be retested and redeployed.”
Ars Technica noted that some websites “may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.”
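The first step in that process, searching an application portfolio for components in a known-vulnerable version range, is mechanical once an inventory exists. The script below is an added illustration, not code from Equifax, Apache, USA Today or Ars Technica: it scans a constructed inventory (hypothetical app, host and component names) against a constructed advisory record that borrows the CVE identifier named in the article. The affected and fixed version ranges in it are assumptions for the example and would in practice be taken from the vendor's security bulletin. It also flags the case the article's thesis hinges on: an application whose component version was never recorded, which no patch search can clear.

```python
"""Scan a constructed application inventory for components that fall inside an
advisory's affected version range, or whose version was never recorded.
Added example; not the code of any organisation mentioned in the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). A non-numeric suffix such as
    '10-rc1' keeps only its leading digits, so pre-releases sort with their base."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    cve: str
    component: str
    # One (first affected, first fixed) pair per release branch; the fixed
    # version itself is not affected.
    affected: List[Tuple[str, str]]


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if version lies in any [first affected, first fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed)
               for lo, fixed in advisory.affected)


@dataclass
class Finding:
    app: str
    host: str
    component: str
    version: Optional[str]
    cve: str
    reason: str


def scan_inventory(inventory: List[Dict], advisories: List[Advisory]) -> List[Finding]:
    """Cross every inventory entry with every advisory for a component it uses."""
    findings = []
    for entry in inventory:
        for adv in advisories:
            if adv.component not in entry["components"]:
                continue
            version = entry["components"][adv.component]
            if version is None:
                # Inventory gap: the component is known to be present but its
                # version was never captured, so exposure cannot be ruled out.
                findings.append(Finding(entry["app"], entry["host"], adv.component,
                                        None, adv.cve, "version not recorded in inventory"))
            elif is_affected(version, adv):
                findings.append(Finding(entry["app"], entry["host"], adv.component,
                                        version, adv.cve, "affected version, patch not applied"))
    return findings


# Constructed advisory record. The CVE identifier is the one named in the article;
# the version ranges are ASSUMPTIONS for this example and must be taken from the
# Apache Struts security bulletin in real use.
ADVISORIES = [
    Advisory(cve="CVE-2017-5638", component="struts2-core",
             affected=[("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")]),
]

# Constructed inventory with hypothetical application, host and component names.
INVENTORY = [
    {"app": "dispute-portal", "host": "web-01", "components": {"struts2-core": "2.3.30"}},
    {"app": "partner-api", "host": "api-07", "components": {"struts2-core": "2.5.10.1"}},
    {"app": "legacy-reporting", "host": "rpt-03", "components": {"struts2-core": None}},
    {"app": "billing", "host": "bill-02", "components": {"other-lib": "1.4.2"}},
]


if __name__ == "__main__":
    for f in scan_inventory(INVENTORY, ADVISORIES):
        print(f"{f.app}@{f.host}: {f.component} {f.version or '?'} -> {f.cve}: {f.reason}")
```

Run as written, the scan reports the portal on the old 2.3 branch and the reporting app with no recorded version, and clears the API that is already on the fixed release. Treating a missing version as a finding rather than silently skipping it is the design choice that matters: an inventory that cannot answer "which version is deployed where" is exactly the condition the article describes.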
For Ilia Kolochenko, CEO of High-Tech Bridge, a Swiss web security company, “The sad and inconvenient truth is that a majority of large companies have similar challenges, problems and weakness in their cybersecurity.”
“Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months,” he told USA Today.
Patching can take time, even for large corporations with dedicated security staff, said Jeff Williams, co-founder of Contrast Security.